| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAH4kHaAqh1R6CGBKXNsO+uQnscwGo0Y06MTny8CebSWK9QMaw@mail.gmail.com> Date: Tue, 12 Nov 2024 11:47:51 -0800 From: Dionna Amalie Glaze <dionnaglaze@...gle.com> To: Tom Lendacky <thomas.lendacky@....com> Cc: linux-kernel@...r.kernel.org, x86@...nel.org, Ashish Kalra <ashish.kalra@....com>, John Allen <john.allen@....com>, Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, linux-coco@...ts.linux.dev, Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, Michael Roth <michael.roth@....com>, Luis Chamberlain <mcgrof@...nel.org>, Russ Weight <russ.weight@...ux.dev>, Danilo Krummrich <dakr@...hat.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "Rafael J. Wysocki" <rafael@...nel.org>, Tianfei zhang <tianfei.zhang@...el.com>, Alexey Kardashevskiy <aik@....com>, linux-crypto@...r.kernel.org Subject: Re: [PATCH v5 07/10] crypto: ccp: Add preferred access checking method On Mon, Nov 11, 2024 at 2:46 PM Tom Lendacky <thomas.lendacky@....com> wrote: > > On 11/7/24 17:24, Dionna Glaze wrote: > > sev_issue_cmd_external_user is the only function that checks permissions > > before performing its task. With the new GCTX API, it's important to > > establish permission once and have that determination dominate later API > > uses. This is implicitly how ccp has been used by dominating uses of > > sev_do_cmd by a successful sev_issue_cmd_external_user call. > > > > Consider sev_issue_cmd_external_user deprecated by > > checking if a held file descriptor passes file_is_sev, similar to the > > file_is_kvm function. > > > > This also fixes the header comment that the bad file error code is > > -%EINVAL when in fact it is -%EBADF. > > Same comment as before. This commit merely creates a helper function, so > this commit message is not appropriate. > Is this a meta-comment about how the commit presupposes being in a series with a goal, but should have a self-contained commit message? I don't know what "same comment as before" you're referring to. How about this: crypto: ccp: Add file_is_sev to identify access Access to the ccp driver only needs to be determined once, so sev_issue_cmd_external_user called in a loop (e.g. for SNP_LAUNCH_UPDATE) does more than it needs to. The file_is_sev function allows the caller to determine access before using sev_do_cmd or other API methods multiple times without extra access checking. This also fixes the header comment that the bad file error code is -%EINVAL when in fact it is -%EBADF. -- -Dionna Glaze, PhD, CISSP, CCSP (she/her)
Powered by blists - more mailing lists